I’ve been sounding the warning about the coming demise of Windows XP for the last three years, and this is the last warning before it actually happens. In 2011 I wrote about why XP should die. In August of last year I reminded people that the apocalypse was approaching. On April 8, 2014, support for Windows XP, and for all Microsoft technologies running on Windows XP, comes to an end: no more security patches, for the OS or for anything Microsoft ships on top of it. Is this really an apocalyptic event? Perhaps so, at least for many people.

Keep in mind that there are several reasons why a PC might continue to run Windows XP past the April 8 deadline, and they include both high-risk and low-risk scenarios. A home PC that is connected to the Internet and is used for reading mail, surfing the web, playing downloaded games, and/or exchanging other kinds of files is part of the perfect storm that is coming if it still runs Windows XP: every one of those activities hands untrusted input to code that will never be patched again. On the other hand, a Windows XP (likely embedded) system that is not connected to the Internet and never has external media (CDs, USB memory, etc.) connected to it is minimally vulnerable, and we probably shouldn’t panic over it. I emphasize “never” above because the greatest piece of malware of recent years is Stuxnet, and it didn’t get onto Iranian centrifuges via the Internet. Viruses can still spread the old-fashioned way, through any kind of media that touches multiple machines, and a system is only isolated until the first time someone plugs in a USB stick to load an update or copy a file.

So I’m going to continue to urge that Windows XP systems be upgraded, or more likely replaced, ASAP. Preferably before April 8. But in future blog entries I’ll also opine on how to keep your Windows XP systems moderately protected after that date. I’ve seen others write on that topic, but I think they fail to recognize (or at least point out) the pitfalls of their suggestions. I’ll try to do a reality check as I make mine.

One of the big problems with securing a Windows XP system against the apocalypse is that many such systems are tied to Windows XP in some difficult-to-change way. For example, a common suggestion is to switch from Internet Explorer 8, which will no longer be patched, to Google Chrome, which will be supported on XP for an additional year. But many corporate apps were written specifically to IE8 and won’t work with Chrome. Or Windows XP might be running on an embedded system on which you can’t install Chrome even if you want to. You need the vendor to do it, and they have not rewritten that app to work cross-browser. And they want you to buy a new system instead, or perhaps they have gone out of business entirely. So you are stuck with Windows XP, and stuck without the ability to implement most suggestions for making it more secure.

That’s the kind of thing I hope to dig into in blog posts over the next couple of months.

I once again urge you to migrate off Windows XP in the next two months if at all possible. But if not, I will give you my take on ways to survive for a while in a world in which your system is the prey of choice.

This week I just replaced the only XP system at a small non-profit I support. The XP system was not connected to the internet due to a lack of a jack at its location. It was replaced with a Windows 7 Pro system so that all their PCs are running the same OS. All the systems are upgradeable to Windows 8 with the possible exception of one that I haven’t checked yet. So they should be good until 2020.

It isn’t clear if your target audience is corporates or consumers. Incidentally, the Target POS systems that got hacked were not connected to the Internet, but were networked internally and running Embedded XP. (Its support runs out in 2016 at the earliest.)

Perhaps the biggest problem with XP is that you have two choices to upgrade. You either buy new hardware with it preinstalled and then have to figure out how to get all your apps, documents, settings, etc. copied across. Or you “upgrade” on the same machine and have much of that wiped and have to reinstate all your apps, documents, settings, etc. This is a heck of a lot of work.

A single data point: my dad solved that by getting an iPad. I wonder how loyal people will be to Microsoft when forced into doing a lot of work? This all from the company that used to put so much effort into backwards compatibility. The company that did this: https://www.youtube.com/watch?v=vPnehDhGa14

My audience is both, and I will differentiate in follow-on articles where it makes sense.

History tells us that few people upgrade existing machines; they mostly wait until they buy new ones, and I think Microsoft relied a little too heavily on that history. But nothing has really changed in that kind of migration in quite some time. Microsoft provides Windows Easy Transfer, and third parties sell cables to make that easier where the network won’t suffice, for moving data and settings between machines. It works from Windows XP. Installing (desktop) apps on new machines has always been a painful proposition, which is one of the things they tried to solve with the Windows Store. But that doesn’t make moving off XP any easier.

While an iPad might be the next computer someone chooses because that’s most appropriate for their usage pattern, it sure doesn’t help with the problem of migrating your stuff off of Windows XP. It just says to me that they weren’t really that tied to that stuff in the first place. Yes, Microsoft triggered a re-evaluation of need because it didn’t make the migration brain-dead simple, and that will cost them a few users. Now if your dad had chosen a Mac, then this would be a more interesting data point. Because that says he still needed a PC but decided he didn’t need a Windows PC.

I’m about 99% sure that there was a clean upgrade-in-place path from XP to Vista. However, for the most part, no one took it. If you have an XP system that’s modern enough to run Win7, find an old installable copy of Vista and detour through there.

That sounds like a good idea as long as they can find drivers for any required devices attached to the XP machine. That’s where some of the OEMs got greedy. Many decided that if they had to write new drivers, they’d simply release new hardware with drivers only for that new hardware and get extra revenue by forcing the XP users to buy new hardware. Now, some of that hardware that didn’t get new drivers was very old, and it really didn’t make sense to write new drivers for it.

This happened with the Win9x to WinXP upgrade as well; OEMs didn’t provide drivers for (even slightly) old hardware. When Vista came out I remember thinking how dumb it was to make customers go through two driver disruptions in adjacent versions of Windows. People still remembered how painful it was (e.g., my father had to throw out a scanner and a printer when he went to XP) and just weren’t up for that again.

“running Embedded XP. (It’s support runs out in 2016 at the earliest.)”
What is funny is how artificial this distinction is, which is made worse by WEPOS/POSReady forcing these patches to be made public.

If you can take the time, SuRun is an option for XP (and 2000, for that matter). PCs running XP because of their age probably can’t upgrade to 7, as they won’t perform well. Server 2003 gets another year of support and would perform similarly on the same hardware, finance and transition costs aside.

I’m presuming Windows Fundamentals support ends with XP, right?

Presumably IE8-dependent intranet stuff could be run through XP Mode on 7 for that purpose only. You’re still exposing yourself but limiting some of the damage.

Still, the world won’t end. Businesses kept using NT4 for years after support ended and largely survived. Of course some had extended support. I presume somewhere out there are a bunch of non-public NT4 security hotfixes someone paid a pretty penny for.

I remember that. A company I worked for back in 2006 had a PC running NT4. It was running software required and provided by a quasi-governmental agency that sent data to the agency. The good news is that it was only needed once or twice a month, and the firewall would only let it connect to a certain IP address. It was sometime around 2009 that the agency provided another way for that data to get to the agency without requiring the NT4-only software.

Power users have options for securing systems that just don’t work for the average user, so that is one problem. And companies aren’t going to invest a lot in creating new solutions for XP, particularly if they involve user retraining.

NT4 is a bad example because it was almost exclusively a server offering and thus much easier to secure. It was also an era in which attacks were far rarer and much more often the work of hobbyists than organized crime. And the number of systems post-support was so small as to not be a very interesting target.

What is funny is that nobody paid much attention to end of support of Office 2003 despite the fact that privilege escalation bugs are not usable without another exploit that executed arbitrary code in the first place.

To some extent that is Apples vs. Oranges but the expiration of support for any software is cause for concern on the security front.

Security problems in the base platform, like an OS, are a much bigger threat than they are in any given application. That’s particularly true for something with an attack surface the size of Windows. But expiration of support on various versions of MacOS, Unix, or Linux distributions is just as worrying. And the use of old versions of Adobe Flash or Reader, or of Java, is a huge issue.

But Windows XP is particularly worrisome because of how broadly used it still is. We’re still talking about hundreds of millions of machines on a worldwide basis. Because of the failure of Windows Vista, new deployments of XP continued unabated through 2009 (so from 2001 to 2009), when Windows 7 was released, and at the enterprise level they were continuing even in 2013! I have mentioned previously that a new hospital near me that opened last summer had installed Windows XP machines. Meanwhile, Office 2003 was superseded by Office 2007, which was reasonably successful, so it had a much shorter active lifespan. Thus the problem is much more limited.

But most importantly, the vast majority of remaining Office 2003 deployments are on Windows XP machines and when people (even more so businesses) upgrade/replace those with Windows 7 (or later) they tend to replace Office as well. So addressing the Windows XP problem addresses the Office 2003 problem.

What is funny is that they still decided XP was going to exit mainstream support after only two years despite Vista RTM’s problems, and to make it worse, by the time it did so Win7 was just around the corner.